In the claims

Amended claims follow: 

1. (Currently Amended) A computer-implemented method for execution with computer 
code embodied on a tangible computer readable medium for detecting intrusions on a 
network, comprising: 

storing signature profiles identifying patterns associated with network intrusions 
in a signature database; 

generating classification rules based on said signature profiles; 

receiving data packets transmitted on the network; 

classifying data packets having corresponding classification rules according to 
said generated classification rules; 

forwarding said classified packets to a signature engine for comparison with 
signature profiles; and 

performing a table lookup to select an action to be performed on said classified 
packets based on the classification; 

wherein the classification is carried out by a first classification stage capable of 
classifying the data packets based on a first set of packet characteristics, and a second 
classification stage capable of classifying the data packets received from the first 
classification stage based on a second set of characteristics; 

wherein one of the actions is comparing said classified packets to at least a subset 
of the signature profiles; 

wherein the first set of packet characteristics includes at least one of a destination 
address, a protocol type, and a destination port number; 

wherein the second set of packet characteristics includes at least one of a packet 
type and a size. 
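Claim 1 describes a pipeline: signature profiles are turned into classification rules, packets pass through a first classification stage (destination address, protocol type, destination port) and a second stage (packet type, size), and the resulting classification is looked up in a table to select an action, one of which is comparing the packet against a subset of the signature profiles. The Python below is an added example that implements that pipeline; it is not code from the patent or its assignee. The dataclass fields, the size threshold, the flow-table layout, and the signatures and packets are constructed assumptions, since the claims name these parts but do not fix their contents.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Constructed data model (assumption): the claims name signature profiles, packets,
# a two-stage classifier and a flow table, but do not fix their fields.

@dataclass(frozen=True)
class Signature:
    name: str
    proto: str                 # stage-1 characteristic: protocol type
    dst_port: int              # stage-1 characteristic: destination port number
    tcp_flags: Optional[str]   # stage-2 characteristic: packet type (None = any flags)
    size_class: str            # stage-2 characteristic: "small" or "large"
    pattern: Optional[bytes]   # payload content for the signature engine (None = header-only)

@dataclass(frozen=True)
class Packet:
    dst_addr: str
    proto: str
    dst_port: int
    tcp_flags: str
    length: int
    payload: bytes

class Action(Enum):
    DROP = "drop"
    COMPARE = "compare"   # forward to the signature engine with a signature subset

SIZE_THRESHOLD = 256      # constructed boundary between "small" and "large" packets
Group = Tuple[str, int]
Subgroup = Tuple[Optional[str], str]

def size_class(length: int) -> str:
    return "large" if length >= SIZE_THRESHOLD else "small"

def generate_rules(signatures: List[Signature]) -> Dict[Group, Dict[Subgroup, List[Signature]]]:
    """Derive classification rules from signature profiles: signatures are partitioned
    into disjoint groups by stage-1 key (proto, port), then by stage-2 key (flags, size)."""
    rules: Dict[Group, Dict[Subgroup, List[Signature]]] = {}
    for sig in signatures:
        group = rules.setdefault((sig.proto, sig.dst_port), {})
        group.setdefault((sig.tcp_flags, sig.size_class), []).append(sig)
    return rules

def stage_one(packet: Packet, rules) -> Optional[Group]:
    """First classification stage: protocol type and destination port number."""
    key = (packet.proto, packet.dst_port)
    return key if key in rules else None

def stage_two(packet: Packet, group_rules) -> Optional[Subgroup]:
    """Second stage, within the stage-1 group: packet type (TCP flags) and size.
    A rule whose flags are None matches any packet type."""
    size = size_class(packet.length)
    for key in ((packet.tcp_flags, size), (None, size)):
        if key in group_rules:
            return key
    return None

class DetectionEngine:
    def __init__(self, signatures: List[Signature]):
        self.rules = generate_rules(signatures)
        # Flow table (a hash table): classification -> action plus a mutable hit counter.
        self.flow_table: Dict[Tuple[Group, Subgroup], dict] = {
            (g, s): {"action": Action.COMPARE, "hits": 0}
            for g, subgroups in self.rules.items() for s in subgroups
        }

    def process(self, packet: Packet) -> Tuple[Action, List[str]]:
        """Classify, look the action up in the flow table, and carry it out.
        Returns the action taken and the names of any matching signatures."""
        group = stage_one(packet, self.rules)
        if group is None:
            return Action.DROP, []           # no classification rule: drop the packet
        subgroup = stage_two(packet, self.rules[group])
        if subgroup is None:
            return Action.DROP, []
        entry = self.flow_table[(group, subgroup)]
        entry["hits"] += 1                   # updating a field of the flow table
        if entry["action"] is not Action.COMPARE:
            return entry["action"], []
        # Compare only against the subset of signatures sharing this classification.
        subset = self.rules[group][subgroup]
        matches = [sig.name for sig in subset
                   if sig.pattern is None or sig.pattern in packet.payload]
        return Action.COMPARE, matches

# Constructed signature profiles and packets (not from the patent).
SIGNATURES = [
    Signature("http-traversal", "tcp", 80, "PA", "small", b"../.."),
    Signature("syn-probe", "tcp", 80, "S", "small", None),
    Signature("dns-any-query", "udp", 53, None, "large", b"\x00\xff\x00\x01"),
]

def demo() -> List[Tuple[Action, List[str]]]:
    engine = DetectionEngine(SIGNATURES)
    packets = [
        Packet("10.0.0.5", "tcp", 80, "PA", 120, b"GET /../../etc/passwd HTTP/1.0"),
        Packet("10.0.0.5", "tcp", 80, "S", 60, b""),
        Packet("10.0.0.5", "tcp", 22, "S", 60, b""),
        Packet("10.0.0.53", "udp", 53, "", 400, b"\x12\x34" + b"\x00" * 300 + b"\x00\xff\x00\x01"),
    ]
    return [engine.process(p) for p in packets]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the flow table, not the classifier, selects the action, an operator can change the entry for a classification (for instance to `Action.DROP`) without regenerating rules, and the hit counter shows the "updating a field of the flow table" action from the dependent claims. The SSH packet in `demo()` has no classification rule and is dropped before any signature comparison, which is the point of classifying first: the signature engine only ever sees the subset of profiles that share the packet's classification.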



2 . (Original) The method of claim 1 further comprising dropping data packets without 
corresponding classification rules. 
3. (Original) The method of claim 1 wherein classifying said packets comprises 
classifying said packets according to at least one packet field into groups. 

4. (Original) The method of claim 3 further comprising classifying said packets within 
each of the groups according to packet type or size. 

5. (Original) The method of claim 4 wherein classifying said packets according to packet 
size or type comprises classifying said packets according to TCP flags. 

6. (Original) The method of claim 4 wherein classifying said packets according to packet 
size or type comprises classifying said packets according to packet length. 

7. (Original) The method of claim 3 wherein classifying said packets according to at 
least one packet field comprises classifying said packets according to protocol type. 

8. (Original) The method of claim 3 wherein classifying said packets according to at 
least one packet field comprises classifying said packets according to destination port 
number. 

9. (Original) The method of claim 3 wherein classifying said packets according to at 
least one packet field comprises classifying said packets according to destination address. 

10. (Cancelled) 

11. (Cancelled) 

12. (Previously Presented) The method of claim 1 wherein one of the actions of the table 
is dropping the packet. 

13. (Previously Presented) The method of claim 1 further comprising generating an alert 
following the table lookup. 
14. (Previously Presented) The method of claim 1 wherein the lookup is performed in a 
flow table and further comprising updating a field of the flow table. 

15. (Original) The method of claim 1 further comprising partitioning signatures into 
disjoint groups to define subsets of signature profiles. 

16. (Original) The method of claim 15 further comprising comparing said packets to at 
least one of the subsets of signature profiles. 

17. (Original) The method of claim 1 further comprising filtering said received packets. 

18. (Original) The method of claim 1 wherein receiving said packets comprises capturing 
said packets at a network analysis device. 

19. (Original) The method of claim 18 further comprising decoding protocols after 
receiving said packets. 

20. (Currently Amended) An intrusion detection system including a tangible computer 
readable medium comprising: 

a signature classifier comprising a first stage classifier operable to classify packets 
according to at least one packet field into groups and a second stage classifier operable to 
classify said packets within each of the groups according to packet type or size; 

a flow table configured to support table lookups of actions associated with 
classified packets; 

a signature database for storing signature profiles identifying patterns associated 
with network intrusions; and 

a detection engine operable to perform a table lookup at the flow table to select an 
action to be performed on said classified packets based on the classification, wherein 
comparing said classified packets to at least a subset of the signature profiles is one of the 
actions; 

wherein classifying said packets according to at least one packet field comprises 
classifying said packets according to at least one of a destination address, a protocol type, 

21. (Original) The system of claim 20 further comprising a data monitoring device 
having a capture engine operable to capture data passing through the network and 
configured to monitor network traffic, decode protocols, and analyze received data. 

22. (Previously Presented) The system of claim 21 further comprising application 
program interfaces configured to allow the intrusion detection system access to 
applications of the data monitoring device to perform intrusion detection. 

23. (Original) The system of claim 21 further comprising a parser operable to parse, 
generate, and load signatures at the detection engine. 

24. (Original) The system of claim 21 further comprising an alarm manager operable to 
generate alarms. 

25. (Original) The system of claim 21 further comprising a filter configured to filter out 
packets received at the intrusion detection system. 

26. (Original) The system of claim 21 further comprising a capture engine configured to 
forward packets and temporarily store packets for later analysis by the data monitoring 
device. 

27. (Original) The system of claim 20 wherein the flow table is a hash table. 

28. (Original) The system of claim 20 wherein action options listed in the flow table 
include dropping the packet and generating an alarm. 
29. (Original) The system of claim 28 wherein action options further include dropping 
the packet and updating one or more fields of the flow table. 

30. (Currently Amended) A computer program product embodied on a tangible computer 
readable medium for detecting intrusions on a network, comprising: 

code that stores signature profiles identifying patterns associated with network 
intrusions in a signature database; 

code that generates classification rules based on said signature profiles; 

code that receives data packets transmitted on the network; 

code that classifies data packets having corresponding classification rules 
according to said generated classification rules; 

code that forwards said classified packets to a signature engine for comparison 
with signature profiles and stores signature profiles identifying patterns associated with 
network intrusions in a signature database; and 

code that performs a table lookup to select an action to be performed on said 
classified packets based on the classification; 

wherein the classification is carried out by a first classification stage capable of 
classifying the data packets based on a first set of packet characteristics, and a second 
classification stage capable of classifying the data packets received from the first 
classification stage based on a second set of characteristics; 

wherein one of the actions is comparing said classified packets to at least a subset 
of the signature profiles; 

wherein the first set of packet characteristics includes at least one of a destination 
address, a protocol type, and a destination port number; 

wherein the second set of packet characteristics includes at least one of a packet 
type and a size. 

31. (Currently Amended) The method of claim 1 wherein the first set of packet 
characteristics includes at least one of [[a]]the destination address, [[a]]the protocol type, and 
[[a]]the destination port number. 

32. (Currently Amended) The method of claim 1, wherein the second set of packet 
characteristics includes at least one of [[a]]the packet type and [[a]]the size. 

33. (Previously Presented) The method of claim 1, wherein only the second classification 
stage remains in communication with a flow table for identifying an action to be taken 
with respect to the data packets. 

34. (Previously Presented) The method of claim 33, wherein the flow table is at least one 
hash table. 

35. (Previously Presented) The method of claim 1, wherein the classification rules are 
generated after filtering the data packets. 

36. (New) The method of claim 33, wherein the action includes dropping at least one of 
the data packets and updating one or more fields in the flow table. 

37. (New) The method of claim 32, wherein the packet type is determined based on a 
TCP flag. 



